PatchSiren cyber security CVE debrief
CVE-2026-9486 SourceCodester CVE debrief
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in SourceCodester Student Grades Management System 1.0. The vulnerability affects an unspecified component and can be exploited remotely. According to the source record, an exploit has been publicly released. The vulnerability was published to the CVE List on 2026-05-25 and last modified on 2026-05-26. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required privileges, and user interaction required, with low integrity impact. The weakness enumerations include CWE-352 (Cross-Site Request Forgery) and CWE-862 (Missing Authorization). The vendor attribution is marked as low confidence and requires review, with Vuldb identified as a reference domain candidate.
- Vendor
- SourceCodester
- Product
- Student Grades Management System
- CVSS
- LOW 2.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations running SourceCodester Student Grades Management System 1.0; security teams managing PHP-based academic or student information systems; developers maintaining CSRF protection in legacy web applications.
Technical summary
The vulnerability is classified as Cross-Site Request Forgery (CWE-352) with an additional weakness classification of CWE-862 (Missing Authorization). The CVSS 4.0 score of 2.1 reflects low severity due to required user interaction and limited integrity impact. The attack vector is network-based with low complexity, requiring no privileges but user interaction. The presence of a public exploit increases practical risk. The affected product is SourceCodester Student Grades Management System version 1.0; specific affected endpoints or parameters are not detailed in available sources. Vendor attribution carries low confidence and requires independent verification.
Defensive priority
low
Recommended defensive actions
- Review and validate CSRF token implementation in SourceCodester Student Grades Management System 1.0
- Implement or verify SameSite cookie attributes for session management
- Consider application-level CSRF protection mechanisms if not present
- Assess exposure of affected systems to untrusted network contexts
- Monitor for unauthorized state-changing requests in application logs
Evidence notes
CVE published 2026-05-25; modified 2026-05-26. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P. Weaknesses: CWE-352, CWE-862. Vendor confidence: low, needs review. Exploit status: publicly released per source description.
Official resources
public